Hackers of India

Hot knives through butter: Bypassing automated analysis systems

By Abhishek Singh, Zheng Bu on 01 Aug 2013 @ Blackhat



Abstract

Diamonds are a girl's best friend, prime numbers are a mathematician's best friend, and automated analysis systems (AAS) are an AV researcher's best friend. Unfortunately, malware authors know this too, so techniques for evading automated analysis systems are not only becoming an integral part of APTs; several infamous malware families have also resurfaced using techniques that bypass the AAS to stay under the radar.

The infamous Khelios botnet was declared dead in 2011 and then resurfaced. To evade automated analysis, one of its samples, known as Trojan Nap and found in 2013, called the SleepEx() API with a 10-minute timeout. Since an automated analysis system executes a sample only within a fixed time window, typically seconds, an extended sleep call prevents the AAS from ever capturing the sample's behavior. The sample also called the undocumented native API NtDelayExecution() to perform extended sleeps.

According to the Mandiant report, the infamous RAT Poison Ivy has been used extensively in targeted attacks even though its development appeared to have been abandoned in 2008. Trojan UpClicker, reported in December 2012 and a wrapper around Poison Ivy, uses the SetWindowsHookEx() API to hide its malicious activity. By passing 0Eh (WH_MOUSE_LL, the low-level mouse hook) as the hook type, the malicious code is only activated when the left mouse button is clicked and released. Since there is no human interaction in an AAS, the code remains dormant and bypasses the AAS.

PushDo, yet another infamous malware, checks the build number of the Windows OS. Once it has determined the build number, it locates the kernel's PspCreateProcessNotifyRoutine callback array (the list behind the PsSetCreateProcessNotifyRoutine() API, which is where AAS process monitors register their callbacks) and deregisters all of the callbacks. Once the callbacks are gone, the malware can create or terminate processes without the process monitoring module of the AAS seeing them.

Trojan Hastati was designed to wipe all the hard drives of computers in Korea. It used the GetLocalTime() API to activate itself on March 20th 2013 at 2:00 P.M. If the sample is executed in an AAS before that date and time, the wiper payload never runs and the sample evades the AAS.

UpClicker, PushDo, Hastati and Nap are some of the resurrected advanced malware families and/or APT tools that use anti-analysis techniques to evade detection by an AAS.
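As an added example (not code from the talk or its authors), the following Python script shows how an API-call trace recorded by a sandbox can be screened for the user-mode evasion patterns described above: the long SleepEx()/NtDelayExecution() waits of Nap, the WH_MOUSE_LL hook of UpClicker, and the GetLocalTime() check followed by an immediate exit in Hastati. The trace format, the sample traces, the sandbox time budget and the thresholds are all assumptions constructed for this example. PushDo's callback deregistration is deliberately absent: it happens in the kernel and leaves nothing in a user-mode trace, which is exactly why it works.

```python
"""Flag sandbox-evasion indicators in an API-call trace (added example)."""
import re

SANDBOX_BUDGET_MS = 120_000   # assumed per-sample execution window of the AAS
LONG_SLEEP_MS = 60_000        # assumed threshold for a "suspiciously long" wait
WH_MOUSE_LL = 0x0E            # low-level mouse hook id UpClicker passed to SetWindowsHookEx
EXIT_WINDOW = 5               # assumed: exiting this soon after a clock query suggests a date trigger

# Assumed trace format: one call per line, "Api(name=value, name=value)".
CALL_RE = re.compile(r"^(?P<api>\w+)\((?P<args>.*)\)$")


def parse_call(line):
    """Parse one trace line into (api, {arg_name: arg_value}); None if unparseable."""
    m = CALL_RE.match(line.strip())
    if m is None:
        return None
    args = {}
    for part in m.group("args").split(","):
        if "=" in part:
            name, value = part.split("=", 1)
            args[name.strip()] = value.strip()
    return m.group("api"), args


def requested_delay_ms(api, args):
    """Normalise the wait requested by a sleep-family call to milliseconds."""
    if api in ("Sleep", "SleepEx"):
        return int(args.get("dwMilliseconds", "0"), 0)
    if api == "NtDelayExecution":
        # DelayInterval is a LARGE_INTEGER in 100 ns units; a negative value is
        # relative to now (the form malware uses). Absolute deadlines are ignored.
        units = int(args.get("DelayInterval", "0"), 0)
        return -units // 10_000 if units < 0 else 0
    return 0


def analyze_trace(lines, budget_ms=SANDBOX_BUDGET_MS):
    """Return (tag, line_index) findings for the evasion patterns seen in the trace."""
    findings = []
    total_sleep_ms = 0
    last_time_query = None
    for idx, line in enumerate(lines):
        parsed = parse_call(line)
        if parsed is None:
            continue
        api, args = parsed

        # Nap: one SleepEx/NtDelayExecution longer than the window hides everything after it.
        ms = requested_delay_ms(api, args)
        total_sleep_ms += ms
        if ms >= LONG_SLEEP_MS:
            findings.append(("long_sleep", idx))

        # UpClicker: a WH_MOUSE_LL hook means the payload waits for a real click.
        if api in ("SetWindowsHookExA", "SetWindowsHookExW", "SetWindowsHookEx"):
            if int(args.get("idHook", "-1"), 0) == WH_MOUSE_LL:
                findings.append(("mouse_hook", idx))

        # Hastati: read the clock, then exit almost at once -> likely a date/time trigger.
        if api in ("GetLocalTime", "GetSystemTime", "GetSystemTimeAsFileTime"):
            last_time_query = idx
        if api in ("ExitProcess", "NtTerminateProcess") and last_time_query is not None \
                and idx - last_time_query <= EXIT_WINDOW:
            findings.append(("date_trigger", idx))

    # Even several "short" sleeps can add up to more than the AAS will ever observe.
    if total_sleep_ms > budget_ms:
        findings.append(("sleep_exceeds_budget", None))
    return findings


# Constructed traces modelled on the behaviours described in the abstract.
NAP_TRACE = [
    "GetModuleHandleA(lpModuleName=kernel32.dll)",
    "SleepEx(dwMilliseconds=600000, bAlertable=0)",
    "NtDelayExecution(Alertable=0, DelayInterval=-6000000000)",
    "CreateFileA(lpFileName=C:\\svc.exe, dwDesiredAccess=0x40000000)",
]
UPCLICKER_TRACE = [
    "SetWindowsHookExA(idHook=0x0E, lpfn=0x00401000, hMod=0x00400000, dwThreadId=0)",
    "GetMessageA(lpMsg=0x0012ff80, hWnd=0, wMsgFilterMin=0, wMsgFilterMax=0)",
]
HASTATI_TRACE = [
    "GetLocalTime(lpSystemTime=0x0012ff60)",
    "ExitProcess(uExitCode=0)",
]
BENIGN_TRACE = [
    "Sleep(dwMilliseconds=500)",
    "CreateFileA(lpFileName=report.txt, dwDesiredAccess=0x80000000)",
]

if __name__ == "__main__":
    for name, trace in [("Nap", NAP_TRACE), ("UpClicker", UPCLICKER_TRACE),
                        ("Hastati", HASTATI_TRACE), ("benign", BENIGN_TRACE)]:
        print(name, analyze_trace(trace))
```

The NtDelayExecution() conversion is the part worth checking against a real trace: a 10-minute relative wait shows up as DelayInterval = -6000000000 (100 ns units), so a rule that only looks at dwMilliseconds on Sleep()/SleepEx() misses exactly the call Nap added to dodge it.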

In the first part of the presentation we provide an exhaustive list of the techniques, APIs and code segments from APT and active malware that are used to bypass the AAS. We will also give live demonstrations of some of the anti-analysis techniques that have emerged in the recent past.

In the next part of the presentation we provide an in-depth technical analysis of the automated analysis system technologies available today, focusing on the computer security aspect. It offers a comparison framework for the different technologies that is consistent, measurable, and understandable by both IT administrators and security specialists. In addition, we explore each of the major commercially available automated analysis system flavors and evaluate their ability to stand up to these evasions. We present an architectural decomposition of automated analysis systems to highlight their advantages and limitations, and a historical view of how rapidly anti-AAS techniques have evolved recently. This will kick-start the conversation about the new vectors that sophisticated malware is likely to use to actively target the AAS in the future.

AI Generated Summary (may contain errors)

Here is a summarized version of the content:

The speaker discusses the challenges of detecting and countering advanced malware threats that use evasions such as version checks, sleep calls, and environmental checks to avoid detection. They emphasize that these evasions are not fictional and have been used in real-world attacks, including zero-day attacks.

The speaker notes that sandbox vendors have made progress in detecting some of these evasions, but attackers continue to evolve and develop new techniques. They highlight the importance of understanding the context of an attack and correlating stateful behaviors to fully understand the attack lifecycle.

The speaker also emphasizes that file-based sandboxing is just a tool and not a silver-bullet solution. Instead, a system that can correlate all of the stateful behaviors of an attack is needed to address advanced malware threats effectively.

Some key points mentioned in the speech include:

Overall, the speaker emphasizes the need for a more comprehensive approach to detecting and countering advanced malware threats, one that takes into account the evolving nature of these threats and the importance of understanding context and correlating stateful behaviors.